Confoo 2012 - Web security keynote

  1. Web security. Confoo Conference 2012 – Montréal. Antonio Fontes (L7), David Mirza (Subgraph)
  2. Syllabus
     • Who are we?
     • Why are we here? What has changed?
     • Motivations
     • Impacts
     • Opportunities: how can you/we help?
  3. About us
     • Antonio
     • David
  4. History
     • Fun pranks
     • Early attacks: host/network intrusion
     • Now: web application vulnerabilities
  5. Now
     • OWASP Top 10 – XSS – SQLi – CSRF – OS command injection – etc.
  6. Why?
     • Mature network/host layer security
     • All business logic is/has moved to the web – along with the data…
     • Web apps are THE remaining open door
     • More people understand there is « value » – general awareness
  7. Motivations
     • Money
     • Political/ideological grounds
     • Fame, fun, curiosity
     • Industrial espionage
     • Supporting other forms of organized crime
     • State / corporate surveillance
     • Randomness
  8. Source: arstechnica.com / nov. 2011
  9. Do you feel motivated now?
     • 792 Euro = 1’051 CAD
     • 4 years of operation = 14m$ → 3.5m/year
     • 3.5m / 7 people → 500’000 CAD/year → 31’320 Euro/month → 40 times the avg. income
  10. Impacts
     • Financial
     • Reputation
     • Health/integrity safety
     • Legal/fines
     • Regulation / compliance
     • Operations / productivity
  11. Impacts
     • Average breach cost: 7M
     • Worst incident cost: over $35 million
  12. Impacts
     • [Chart: average cost of a data breach (in US $m), "Average" and "Maximum" series, 2010; y-axis $0.0 to $40.0]
  13. Perception of insecurity: “I have a Mac”
  14. What can we do about it?
     • Technical controls
       – Web application assessment: DAST, SAST, hybrid
       – WAFs, IPSs, next generation firewalls, DLP
     • Process controls
       – Risk assessment processes: SDLC, penetration testing
     • Awareness!
       – Community: OWASP
       – Training
  15. Conclusion: security activities across the lifecycle
     • Analyze – security requirements; risk management
     • Design – secure design; design review; threat modeling
     • Implement – secure coding; code review
     • Verify – security testing; vulnerability analysis; risk assessment; penetration testing
     • Deploy – secure deployment
     • Respond – incident response
     • Across all phases – training & awareness; policy / compliance; governance (strategy, metrics)
  16. Threat horizon
     • Cryptography in web applications
     • Code sharing
     • Backdoored code on repositories
     • Mobile application backends
     • Data leaks / password leaks
     • Clickjacking / redressing
  17. Duo panel
     • Questions?
     • Contact
       – David: @attractr / www.subgraph.com
       – Antonio: @starbuck3000 / www.L7securite.ch